Like all things in life, it’s easy when you know how and difficult when you don’t. This is never more true than in the case of email systems. In a previous article we looked at installing MailPlus Server with a 3rd party relay agent to do the heavy lifting. In this article we are going to see how to install Synology MailPlus Server as a Synology end-to-end solution, with no 3rd party relay servers. This introduces a lot more complexity.
I couldn’t properly understand the subject without a visualisation so I created a diagram that shows roughly how it all fits together. Note: It’s like the map of the London Underground – what’s shown on the map isn’t intended to reflect the above ground geography because that would make it much harder to read.
The numbered circles correspond with explanatory notes and installation guides in the expanding sections beneath the diagram.
Installation of MailPlus is simple so it won’t be covered here, except for this tip…
Home users should take a look at some of the settings with numeric values because the defaults may be high for that purpose.
(1)Mail attachments are still limited to 2Mb on some very old systems, with 10Mb being a sensible limit. If you’ve got a Synology box, then sending shared links makes sense – just in case the recipient has email limits such as a 200Mb mailbox:
Synology have placed some Security options in this section instead of the Security section. No, I don’t know why either. So set them up while you’re here:
When the user presses Send, MailPlus Server will make a DNS request for the IP address associated with the domain name so that the recipient’s mail server can be located. If an IP address is found, the message is dispatched to that server.
If no IP address can be found for the recipient’s mail server, the MailPlus Server will queue the item and attempt to redeliver it, in case the receiving server is temporarily unavailable. The user will be advised of the delay from time to time. If successive resends fail, the mail is returned to the sender with a covering message.
Your domain name host will have provided you with access to a control panel where these settings can be found. Each provider’s pages will look different but do essentially the same thing.
At (1) enter the static IP address assigned to your router
The value entered at (2) depends on your circumstances. If your domain host and your ISP are the same company, then you should enter your FQDN, usually “mail.”<domain name>. If your domain host and ISP are different, it’s best to enter the domain associated with your account by your ISP when you signed up, in my case p*********.plus.com. This is because some email servers validate incoming mail by comparing the sending domain to the domain recorded against the IP address, and may treat a mismatch as a warning sign.
If the user name is valid the mail will be subject to scanning by the receiving server for viruses, spam and other malicious content. We are not concerned with how that is performed or what level of scanning is applied. That is their responsibility. We will be looking at our inbound filtering later.
1) SMTP is only used for “SENDING” emails, either from the mail client or from the MailPlus server to someone else.
2) IMAP is only used to synchronise a Mailbox with multiple devices such as Thunderbird and Android or iOS devices.
3) POP3¹ is now rarely used for general email as it was designed only to transfer email from one server to one email client (when people only had an office PC and storage on the mail server was expensive, it made sense to transfer the emails to the user and delete them from the server).
If you need to receive mail from another service, such as Gmail, the simplest solution is to set up a forwarding rule on that service to send a copy of any incoming mail to your domain account. Once it arrives on the server it will be managed using IMAP.
At first you might want to leave a copy of the incoming message on Gmail so that you can double check all incoming mail is being received, but that mailbox will not reflect the items you delete and reply to, so its value as a backup is limited. Later, you can easily change the Gmail forwarding rule to delete the mail after it has been forwarded.
¹ By the way, you may be wondering why I have shown the IMAP/POP3 protocols against the recipient’s mail server instead of our MailPlus Server where we need to implement them. The answer is simple – for clarity in the diagram. It would have seriously confused things if I had added them to the MailPlus boxes on either side. This is why I described the diagram as like the London Underground map – designed to help you understand what’s happening underground, but not what it looks like above ground.
At the time of release of MailPlus Server 2.0.0-0522 there is some uncertainty about SpamAssassin rules, because that capability is still in the product. It’s unclear whether this is an oversight or whether SA rules work with Rspamd. For now, I have left the instructions as they were. I will update this article when I know the outcome. In the meantime, you can proceed with the setup and just ignore the references to SA rules. In all other respects, Spam filtering setup is the same.
The MailPlus Server in-app help, accessible from the spam setup screens, is very good so please refer to it for more information.
Synology have done a good job of integrating the SA tool-set into MailPlus Server and have reduced what could be a very cumbersome and difficult-to-maintain task into a reasonable number of steps which, unless indicated to the contrary, are one-off setup tasks:
- Find and import additional spam filtering rules
- Set rules update schedule
- Enable Auto-learning
- Set spam trigger levels (tweak periodically)
- Enable spam reporting
- Set daily schedule
- Enable postscreen protection
- Enable greylist (one off, but only after auto-learning has been running for a while)
Number 1 on the list is the most time consuming but Synology have made that easier by providing a link to a website from where rules can be obtained, although they have buried it in the in-app help file rather than putting it directly on the screen where you need it. Some of the rule-sets require a bit of detective work to find. For example, the Malware Block List is one of the most detailed filters there is (over 330,000 lines long) but you have to dig deep to find it. To help you, here is the sign-up link for the free home version.
These rule-sets add extra filters to complement the basic filtering performed by SpamAssassin. They are plain text files with a .cf extension. In many cases a filter’s site doesn’t provide a .cf file to download. Instead you have to copy the plain text from their page and paste it into a new text file that you give a file name and .cf extension. Then you import it into MailPlus Server. It is also slightly strange that several of the first entries on the page are dead links. It may be that new rule sets are added to the end of the page, and those at the top go stale without being removed.
Custom rule sets can be defined but that should be left for another time, if at all. SpamAssassin’s site says that this should only be necessary if the profile of your mail traffic is outside the norm. The existing rule sets cover most eventualities. If you need to create a custom rule there’s a link to an instruction site in the in-app help page.
As a starting point, I enabled all of the items except Greylist, which will be turned on later after auto-learn has been running for a while (as advised in the Help System).
The Anti-Spam settings defaults were also accepted:
SpamAssassin rules were added, sourced from the website provided in the in-app help system. As described above, I did not install MalwarePatrol.cf
Auto learning was enabled using the default settings which may need to be tweaked based on live results.
I encountered a problem with reporting (1). For some reason forwarded spam and false spam have to be reported to two different email addresses. Because I didn’t want to dedicate a precious licence to this, I tried to use aliases but because they resolve to the same named account, the system would not accept them. For now I have disabled that facility.
Default DNSBL settings were accepted because spamhaus.org is widely recognised as an authoritative source:
Formatting the SPF record
SPF records can be complex, with many switches to perform different functions. Fortunately for us, our SPF record can be much simpler:
v=spf1 a mx ip4:xxx.xxx.xxx.xxx ~all
For an explanation of these parameters click here.
Next you must enter the value in a TXT record on your domain’s DNS settings¹. In your domain host’s control panel, look for the ability to add CNAME/TXT/SRV records and choose a TXT record type.
¹ Some registrars (including Fasthost) still support the now obsolete “SPF” record as well as the recommended “TXT” record.
1. Turn DKIM on for incoming mail to validate the sender. The lack of a DKIM signature lowers the reputation of the sender, possibly resulting in dropped mail.
2. Enable it for your outgoing messages. That makes the next field mandatory.
3. DKIM selector prefix is a free text field where the user labels the public key by which their service is validated. I have used a naming convention of <DiskStation name>-<domain name>. When you deploy it later, the label will be followed by “._domainkey”, so in this example the complete selector is nas3-rrett._domainkey, but for now just enter the prefix that you want. NOTE: There are limitations on the characters in your label. For example, the . and _ characters are not allowed. If your chosen prefix contains invalid characters your domain host will probably not let you save the record.
Enter your chosen prefix. “default” will be sufficient.
4. DKIM uses RSA validation where there are private and public keys that are matched and validated. The public key will be required in later steps. Press the Generate Public Key button and accept the warning that the private key will be updated; it needs to be, to match the public key. (If you ever have a need to regenerate the key, the warning is a reminder to update the TXT record in your host’s DNS settings.) Apply the settings.
5. Next you must enter the public key details in a TXT record on your domain’s DNS settings. In your domain host’s control panel, look for the ability to add CNAME/TXT/SRV records and choose a TXT record type.
At 1, enter the prefix you defined in step 4 above, followed by ._domainkey
At 2, enter the highlighted values manually and then paste the public key. You can copy the values from here:
Note 1: In the image shown above, my ISP’s control panel has wrapped the text, which makes it appear to have a line break. In reality, you must enter the DKIM values and key as one continuous string without line breaks.
Note 2: The value should be DKIM1 not DKIM.
Save the settings. They should take effect almost immediately. Validate them using MX Toolbox.
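Because both the SPF record above and the DKIM record in steps 3 to 5 are hand-typed into a control panel, it is worth checking the strings before saving them. The following is an added example (not code from the article or from Synology) that fills in the article's SPF template, builds the selector and the `v=DKIM1; k=rsa; p=...` value from a key that a control panel has wrapped across lines, and re-parses each value to catch the two mistakes called out in Notes 1 and 2. The router address, DiskStation name, domain and key material are all constructed samples.

```python
# Added example (not from the article or Synology): build and sanity-check
# the SPF and DKIM TXT values before they are pasted into the domain host's
# control panel.  Every sample value below is constructed for illustration.
import ipaddress
import re
import string

# Constructed samples: a documentation-range IP stands in for the router's
# static address, and the key is dummy base64 text, not a real RSA key.
SAMPLE_ROUTER_IP = "203.0.113.10"
SAMPLE_NAS_NAME = "nas3"
SAMPLE_DOMAIN = "example.com"
SAMPLE_WRAPPED_KEY = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdummyKEYmaterialForIllustration\n"
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345\n"
    "6789QIDAQAB"
)

SELECTOR_CHARS = set(string.ascii_letters + string.digits + "-")


def build_spf(router_ip: str) -> str:
    """Fill the article's SPF template with the router's static IPv4 address."""
    ip = ipaddress.IPv4Address(router_ip)  # ValueError if not an IPv4 literal
    return f"v=spf1 a mx ip4:{ip} ~all"


def check_spf(record: str) -> dict:
    """Parse an SPF value; returns its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        if body == "all":
            all_qualifier = qualifier          # ~all = softfail, -all = fail
        elif body in ("a", "mx"):
            mechanisms.append(body)
        elif body.startswith("ip4:"):
            ipaddress.IPv4Network(body[4:], strict=False)  # accepts a /prefix too
            mechanisms.append(body)
        else:
            raise ValueError(f"unsupported SPF term: {term}")
    if all_qualifier is None:
        raise ValueError("SPF record should end with an 'all' term")
    return {"mechanisms": mechanisms, "all": all_qualifier}


def dkim_selector(nas_name: str, domain: str) -> str:
    """<DiskStation name>-<first domain label>, rejecting characters such as
    '.' and '_' that the article says the host will not accept in the prefix."""
    prefix = f"{nas_name}-{domain.split('.')[0]}"
    bad = sorted(set(prefix) - SELECTOR_CHARS)
    if bad:
        raise ValueError(f"selector prefix contains disallowed characters: {bad}")
    return prefix


def dkim_record_name(prefix: str) -> str:
    """The DNS label the public key is published under (prefix + ._domainkey)."""
    return f"{prefix}._domainkey"


def build_dkim_txt(wrapped_key: str) -> str:
    """Join a key that a control panel has wrapped into one continuous string
    (article Note 1) and prefix the DKIM1 version and key-type tags."""
    key = "".join(wrapped_key.split())   # drops every line break and space
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", key):
        raise ValueError("public key is not base64 text")
    return f"v=DKIM1; k=rsa; p={key}"


def check_dkim_txt(record: str) -> dict:
    """Parse a DKIM TXT value into tags, enforcing the DKIM1 version tag
    (article Note 2) and an unbroken p= value."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.strip().partition("=")
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("version tag must be exactly v=DKIM1, not v=DKIM")
    if not tags.get("p") or any(c.isspace() for c in tags["p"]):
        raise ValueError("p= tag is missing or contains whitespace")
    return tags


def is_valid_dkim_txt(record: str) -> bool:
    """Boolean wrapper for a quick check of a pasted record."""
    try:
        check_dkim_txt(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_spf(SAMPLE_ROUTER_IP))
    selector = dkim_selector(SAMPLE_NAS_NAME, SAMPLE_DOMAIN)
    print(dkim_record_name(selector))
    print(build_dkim_txt(SAMPLE_WRAPPED_KEY))
```

Run it as-is to see the three strings for the sample values, or call `build_dkim_txt` on the key copied from your own control panel; a `ValueError` points at the line break, stray space or `v=DKIM` version tag before the record reaches DNS.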
v=DMARC1; p=none; pct=100
| Item | Meaning |
|---|---|
| `_dmarc.example.com` | The prefix to be used in the TXT record on the domain’s DNS settings, followed by the domain name |
| `v=DMARC1` | Defines the TXT record as a DMARC item |
| `p=none` | Defines the policy to apply when a message fails the DMARC checks. `none` = delivered as normal; `quarantine` and `reject` are self-explanatory |
| `pct=100` | The percentage of mails to which DMARC rules will be applied. With the policy set to `none` and the percentage to 100, all mails will flow. If we apply a policy such as `quarantine`, leave the pct at 100 and make a mistake in the overall rule set, 100% of our mail could go to quarantine. Worse, if we set the policy to `reject` and pct to 100, all our incoming mail could be dropped. It’s therefore important to reduce the pct value to a really low figure as soon as a policy is introduced. Better to let some suspicious stuff past the filters at first to make sure mail is flowing. The `quarantine` policy can then be introduced with a pct value of 5 to 10. Monitoring of quarantined content will show you whether you need to be more or less aggressive with the pct level. |
It should come as no surprise that the DMARC record is added to your domain’s DNS settings in Control panel as a TXT record, just as we did earlier for SPF and DKIM records.
The label for the TXT record takes the format _dmarc.<domain name>.
Note: there is an exception to the rule for 1&1 hosted domains. See image below. 1&1 will take the _dmarc prefix and append your domain name automatically.
The value is:
v=DMARC1; p=none; pct=100
Save the record and check it is working correctly, as we did for SPF & DKIM records.
DMARC has many additional attributes that can increase its capabilities, including two that combine DMARC with elements of SPF and DKIM respectively, for increased authenticity.
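The pct caution in the table above is easy to get wrong when the record is edited later, so here is an added example (not the article's or Synology's code) that parses a DMARC TXT value and flags an enforcing policy introduced at a high percentage. It also shows that a record with no `pct` tag at all is treated as `pct=100`, which is the DMARC default. The first sample record is the article's own; the other three are constructed.

```python
# Added example (not from the article or Synology): parse a DMARC TXT value
# and apply the staged-rollout caution from the table above, where a
# quarantine or reject policy at pct=100 is the mistake to avoid.  The first
# sample record is the article's; the rest are constructed.
VALID_POLICIES = ("none", "quarantine", "reject")

SAMPLE_RECORDS = {
    "article":  "v=DMARC1; p=none; pct=100",
    "too-bold": "v=DMARC1; p=quarantine; pct=100",
    "no-pct":   "v=DMARC1; p=reject",            # pct defaults to 100 when omitted
    "staged":   "v=DMARC1; p=quarantine; pct=5",
}


def dmarc_record_name(domain: str) -> str:
    """DNS label the record is published under: _dmarc.<domain>."""
    return f"_dmarc.{domain}"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; ...' into a dict and validate the tags the article uses."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))   # an absent pct means 'apply to all mail'
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return {"policy": tags["p"], "pct": pct, "tags": tags}


def rollout_advice(record: str, starting_pct_ceiling: int = 10) -> str:
    """'monitor-only' for p=none, 'ok' for an enforcing policy introduced at a
    low pct, and a warning when an enforcing policy would hit most mail."""
    info = parse_dmarc(record)
    if info["policy"] == "none":
        return "monitor-only"
    if info["pct"] > starting_pct_ceiling:
        return (f"warn: p={info['policy']} with pct={info['pct']} applies to "
                f"most mail; introduce it at pct 5-10 and watch the quarantine")
    return "ok"


if __name__ == "__main__":
    print(dmarc_record_name("example.com"))
    for label, record in SAMPLE_RECORDS.items():
        print(f"{label:9} {rollout_advice(record)}")
```

The 10% ceiling is a parameter rather than a constant so it can be raised as quarantined mail is reviewed and the policy is rolled out more widely.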
I chose not to convert HTML into plain text. This may be effective on a simple message with an HTML tag or two within it, but many genuine emails contain so many that they are impossible to read in plain text format. I prefer to use the specific tag options to “Make tags ineffective” so that the end user can still read the mail but potentially dangerous tags are deactivated.
- Defining rules looks like a tedious and error prone process with some complex masking requirements in some cases.
- Some example rules are given but I could not discover what all of them mean. For example ex_tw_identify_number has a complex mask that doesn’t match either of the first two candidates that I found from a web search, “Twitter ID” and “Taiwanese ID Number.” But while researching those, I found a source that states that as of 2016, SpamAssassin is the better way to handle content protection. I have already activated SpamAssassin so it’s just a case of ensuring the correct filter files are loaded.
I hope you found this guide useful. I try to update it when I discover more about the products involved. If you have any comments or better solutions, I’d love to hear from you. You can use the Comments area below or the Contact link in the top menu.